A stored XSS vulnerabily was discovered in the ShoutBox module of the enterprise application "BlueSpice Wiki".
|Title||BlueSpice Shoutbox – Stored Cross-Site Scripting|
|Product||BlueSpice for MediaWiki Plugin: ShoutBox|
|By||Frederic Mohr / LastBreach Vulnerability Lab|
“BlueSpice free is the free wiki version of BlueSpice, based on MediaWiki and extends it with lots of useful features, which easen the everyday work with your wiki. BlueSpice free supports you with its free of cost functions for quality assurance, process support, administration, editing and security. Just download it and install BlueSpice!”
Source: http://bluespice.com/products/bluespice-free/ Vulnerability overview/description:
By default, BlueSpice security settings require a user to be logged in to use the ShoutBox. However, the default settings also allow for self registration.
This vulnerability can be leveraged to send a malicious script to an unsuspecting user. The victim’s browser will execute the script, as it has no way of knowing that the script should not be trusted. By exploiting this vulnerability an attacker is able to trick users into unknowingly performing actions on the attackers behalf.
After login, the attacker is able to exploit the vulnerability simply by posting raw JS code in the ShoutBox comment field. Posting the following code snippet, will produce a popup box containing the message “Stored XSS”.
The code is executed by any user visiting the page that contains the comment, if the ShoutBox is selected.
The vulnerability has been verified to exist in BlueSpice for
Mediawiki Version: 2.23.1, which was the most recent version at the time of discovery.
Vendor contact timeline:
2015-06-01: Contacted vendor through firstname.lastname@example.org
2015-06-03: Vendor response requesting detailed description
2015-06-03: Provided detailed description
2015-06-09: Vendor response acknowledging vulnerbility, approximate patch date is set to 2015-06-27
2015-06-10: Provided vendor with patch for this vulnerability
2015-06-21: Contacted vendor asking for status
2015-06-23: Answer from vendor: a release date of update is set to 25th, June vendor will send notification upon release.
2015-06-24: Patch published in git repository
2015-06-28: Contacted vendor asking for release of new version on download page and/or customer notification
2015-07-02: Vendor published customer security notification
2015-07-09: LastBreach releases advisory
Update BlueSpice for MediaWiki to version 220.127.116.11.
If updating to the current version is not possible, the vulnerability can be mitigated by applying the patch manually. The necessary information can be found in the patch commit.